bɹo˙ǝpıןsdou˙boןq

2015/04/11

I've spent some time lately tearing apart the SEP Local Quarantine files, luckily they seem to be much less complicated than the SEP Central Quarantine files, but they seem to use the same basics in terms of structures used to store data and indicate field sizes. The big problem is that once you lift VBN files from the original device, Symantec's QExtract tool is basically useless, and there is no way SEP will extract it on another machine.

Many forensic blogs suggest doing XOR to obtain the binary, but in most cases the binaries are also split into 4k chunks with data structures starting with 0x09 followed by 4 bytes indicating the size of the chunk. I think Hexacorn blog(1) was the frst to point out the existence of such "chunk separators", but Shane King(2) was the one that figured out that the 4 bytes there stand for the size of the chunk. Having a file peppered with such chunks might ruin your day if you are going to do anything serious with the extracted file. Since, I didn't want to limit the extraction to just PE binaries, I had to try to figure out some of these structures across a set of samples that I had available.

The other day, I was almost done with the extraction piece, when one of the more anomalous .VBN files turned out to contain two payloads. Luckily, it turned out to be the exactly the same binary as the first one, well at least the size and MD5 did match.

So the code is available on github:
https://github.com/frbapolkosnik/crits_services/blob/seplq_service/SEPLQ_service/SEPLQ.py

And you can either use it in CRITs or just import it into your little script, and save the payload the way you like.

2014/06/26

Lately, I was able to get my hands on a used/refurbished WZR-1750DHP. Amazon marketplace had it in virtually new condition for under $90. 512MB of memory and dual core SoC made me think that it could be worth it.

The original Buffalo firmware, while nice, was a major PITA straight from the 90s; almost any config change required a reboot. Turns out that Buffalo has WZR-1750DHPD, which essentially is the same thing with a nicely done DD-WRT firmware. It turns out that it's relatively easy to flash the Buffalo-supported DD-WRT firmware onto WZR-1750DHP.

After loading Buffalo-supported version, the router turns into a far superior device than almost anything I had before. The only con is lack of the external antennas for extended range.

2014/04/17

I've been working on improving my Central Quarantine extractor script lately. One of the snags I hit was a stupid bug in zipfile module in Python 2.x-3.4.

It has to do with archive names not matching between two different places. When such mismatch occurs zipfile simply raises an exception and refuses to extract the files.

This mismatch thing is actually a feature in Zip format that allows the files to be effortlessly renamed without any need to re-pack the various files stored inside the ZIP file.

Since I was making sure that my code runs fine on both Python 2.7.6 and 3.4 the only point of contention was the bastardized zipfile module. The one from 2.7.6 would error out with Python 3.4 and the one from 3.4 would do the same whe running on 2.7.6... I've added a conditional importing, but I've not tested it with other versions of Python...

After jumping through the hoops to ensure that my code runs properly on Python 3.4, I feel much better now that it also works perfectly well with 2.7.6.

2012/09/16

It seems that I'm breaking out of a coding coma lately. I've started fixing stuff in Kludge, and it is fun. The downside is that it is really time consuming, as nothing comes easy when one needs to dig into the details.

Running it through Caesar cipher with offset of 7 it turns it into the following question:
WHAT CIPHER'S ALTERNATE NAME HIDES THE FACT THAT IT INVOLVES PLAYING CARDS?

Quick googling session reveals the answer.

Flag: pontifex

Crypto 2
Points:75
Instructions:We got the password hashes from a system but don't know what to do with them. -- Crack the passwords and concatenate them alphabetically for the key. Submit in all uppercase, no spaces.
Category:Crypto/Stego
File:2d2cda7a3f0b8f0b292c646f94bf9836073e94db

Points:175
Instructions:Crack the cipher, get the key ------------ The key to the cipher is the answer. Submit the key in all lower case, no spaces
Category:Crypto/Stego
File:17ca6426ac08cef3641a5695667c921af89edb82

Plugging that into http://smurfoncrack.com/pygenere/pygenere.php and expanding the length of codewords to try to 20 yelds just slightly misspelled answer"INDECIPHERLBLECIPHER"

With the proper key it decodes to:
casessensoryinputwarpedwiththeirvelocityhismouthfilledwithanachingtasteofbluehiseyeswereeggsofunstablecrystalvibratingwithafrequencywhosenamewasrainandthesoundoftrainssuddenlysproutingahummingforestofhairfineglassspinesthespinessplitbisectedsplitagainexponentialgrowthunderthedomeofthetessierashpoolicetheroofofhismouthcleavedpainlesslyadmittingrootletsthatwhippedaroundhistonguehungryforthetasteofbluetofeedthecrystalforestsofhiseyesforeststhatpressedagainstthegreendomepressedandwerehinderedandspreadgrowingdownfillingtheuniverseoftadownintothewaitinghaplesssuburbsofthecitythatwasthemindoftessierashpoolsaandhewasrememberinganancientstoryakingplacingcoinsonachessboarddoublingtheamountateachsquareexponentialdarknessfellinfromeverysideasphereofsingingblackpressureontheextendedcrystalnervesoftheuniverseofdatahehadnearlybecomeandwhenhewasnothingcompressedattheheartofallthatdarktherecameapointwherethedarkcouldbenomoreandsomethingtorethekuangprogramspurtedfromtarnishedcloudcasesconsciousnessdividedlikebeadsofmercuryarcingaboveanendlessbeachthecolorofthedarksilvercloudshisvisionwassphericalasthoughasingleretinalinedtheinnersurfaceofaglobethatcontainedallthingsifallthingscouldbecounted

When revieved through the "hexdump -C" or "strings" you can clearly see that the strings don't read quite right, it seems that the endianness is flipped.

to reverse that and get the key in a single liner we can do:

$ dd if=dd_rtfm conv=swab | strings | grep n00b

Flag: Silly n00b -- arguments are for l337!

Forensics 3

Points:200

Instructions:You know that guy? The one who always hides his screen when you walk by? You're never quite sure what he's up to? Yeah -- you know him. Well we need to know what he's up to. We're moving his desk to the basement, and you remember what happened last time... We managed to get a memory dump and a file we think he was working with from his system, but we don't know what to do with it. -- Submit the key in ALL CAPS

Category:Forensics

File:5748b64df3c691d1766e793e8dcf23b05383899d

Packet 1

Points:25

Instructions:Who would cross the Bridge of Death must answer me these questions three, ere the other side he see. What should the Checksum always be for IPXWAN___ How many reserved bits in the TCP header, and what must it always be___ The code for a Point to Point Protocol Discard Request --------------------- Find the answer to these three questions, concat them for the first half of the answer, append with the color it creates (answers123Color)

Category:Packet

File:(none)

Flag: FF6011Orange

Packet 2

Points:150

Instructions:What an odd way to send a secret message... ------------------------ answer format is md5(key including all spaces)

Binhex decodes a zip file with an image of message written in Braile, which decodes into a question along the lines of (the decode might be not exact):

"On November 2 1988 what worm was unleashed?"

Flag: MORRISWORM

Potpourri 2

Points:125

Instructions:The PDF spec is so error tolerant, even the monkey from the infinite monkey theorem couldn't reproduce it! -- Submit the key as found

Category:Potpourri

File:cc7931560f8fc6d8df26f058afc6b8b03e31ae60

After decompressing a pdf with hamlet is revealed. One could search for the original pdf and diff it. The result of diff would indicate an object 368 being added. I've used my custom version of pdf-parser to dump the media files for me. Object 368 is an jpg image containing the key.

Instructions:Do you believe in magic? What tasty hex number was originally used to mark newly allocated (freed) memory prior to initialization? -- Submit the key as hex, all uppercase (so 0x[UPPERCASE])

Category:Reversing

File:(none)

Flag: 0xDEADBEEF

Reversing 3

Points:175

Instructions:Blast from the not-so-distant past... in more ways than one. -- Submit the key as found

Category:Reversing

File:ad32c019ae35816ce196db2042d572e41875cd44

Another pdf challenge, the pdf is wrapped in a C64 disk image among other things. The pdf contains a javascript, which won't run unless it detects AdobeReader version 5, and then it pops up a question for the code. It turns out that there is a common multiplier to the algorithm used, once one extracts the code and runs it in a debugger or modifies the pdf. It's pretty easy to derive the multiplier by plugging 1, then 10. The result has to be rounded up with no decimal places.

2012/05/16

Today I'm going to share some thoughts about various NAS devices I've considered for my home environment.

Number one objective is to have a power efficient device, since these things will most of the time sit there and contribute to your monthly electricity bill.

Couple of years ago I've decided to try Thecus N2100, it seemed nice and hackable and it had two GigE ports, but it had a really IO subsystem making it really slow. I was hoping that the bugs could be worked out, but it didn't happen. So, I've popped two WD green drives (1TB), replaced the internal fan with a quieter one, upgraded the memory to 512MB. The transfers are still really slow and the included version of BusyBox is pretty outdated and buggy. If you have filenames with some bad characters in them, or lots of files in the folders some services such as the Mediabolic media server would just crash. It's real legacy hardware now, the CPU on the unit is plagued with some serious bugs and the original kernel seems to be much better than most other available. I've tried different things with it, but I wanted to keep it fairly stock, so adding the extra modules was the way to go. But eventually I got tired of it, and I've decided to retire it, after running it for a few months 24/7. I needed a device with an ftp server, and enough storage to be able to serve some content through DLNA and DAAP (iTunes-like).

One of the days I was looking for Raspberry Pi (still waiting for my order to arrive) specs and I've noticed a pink Pogoplug on sale for $25. Once I found out that it has a SATA port on the inside, I thought that I could use this thing to replace functionality of my other NAS. In a way this would be a downgrade, from two SATA ports to one, but on the other hand 4 USB ports and less power hungry device with support for optware seems like a perfect match. Not to mention the initial investment part. So, I've chopped off a little sliver of the back cover to run the 90-degrees-angled SATA to e-sata cable, and it's almost ready. All I need now is a decent e-SATA drive dock or an enclosure and it's ready.

One of the big selling points for me was the 5GB of free cloud storage, that shows up up in the management screen as another drive. I'm trying to keep my ISP costs down, so my link is seriously limited in upstream bandwidth, so I was able to use that to host my pictures for my family members.

Another great feature is the built-in DLNA media server. It's been pretty stable, one of short comings was that it wouldn't index my small 80GB drive for the movies, but then luckily I was able to find the 5GB of the ShmooCon 2012 videos by browsing through folders.

It goes without saying that the thing allows one to turn on the built in ssh server, and mount optware from the USB drive

My final solution to the problem became much simpler than ones listed the above, and it entails a relatively beefy broadband router with an USB port, a few tiny 32GB flash drives, an USB hub, and OpenWRT. It is still having some little issues that I'll have to take time to iron out, but at least it serves a multitude of tasks. So, I have there an VPN server, an ftp server, a samba share, DLNA media server, DAAP (iTunes compatible) server, and I couldn't be happier with it. It allows me to use Wake-on-LAN to turn on my beefier media server based on HP N40L microserver and OpenMediaVault when needed, where I have much more space for my git repositories, family albums, as well as vacation pictures and videos.